LAMP ( Linux Apache MySQL PHP ) : Apache Web Server Security Hardening
Firewall - UFW
A good place to start is to install a Firewall.UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual pages or the Ubuntu UFW community documentation.
Install UFW and enable, open a terminal window and enter :
:~$ sudo apt-get install ufw
Allow SSH and Http services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp
Enable the firewall.
:~$ sudo ufw enable
Check the status of the firewall.
:~$ sudo ufw status verbose
SSH Hardening - key based login, disable root login and change port.
The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
After you install fail2ban (tutorial below), keeping track logs and you will noticed that a ton of IP addresses are being sshd: banned (Moslty Chinese and Russian IP addresses). Most of these brute force attacks are automated and usually target the default port 22 this would further reduce the number of attacks on your ssh service.
Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
Open a Terminal Window and enter :
:~$ sudo nano /etc/ssh/sshd_config
Change or add the following and save.
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no
Update firewall :
:~$ sudo ufw allow <ENTER YOUR PORT>/tcp
Delete Rules
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways specify which rules to delete: by rule number or by the actual rule (similar to how the rules were specified when they were created). We'll start with the delete by rule number method because it is easier, compared to writing the actual rules to delete, if you're new to UFW.
By Rule Number
If you're using the rule number to delete firewall rules, the first thing you'll want to do is get a list of your firewall rules. The UFW status command has an option to display numbers next to each rule, as demonstrated here:
:~$ sudo ufw status numbered
Numbered Output:
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 15.15.15.0/24
[ 2] 80 ALLOW IN Anywhere
If we decide that we want to delete rule 1, the one that allows port 22 (SSH) connections, we can specify it in a UFW delete command like this:
:~$ sudo ufw delete 1
:~$ sudo service ufw restart
:~$ sudo service ssh restart
Protect su by limiting access only to admin group
To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
Open a terminal window and enter:
:~$ sudo groupadd admin
:~$ sudo usermod -a -G admin <YOUR ADMIN USERNAME>
:~$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su
MOD SECURITY
For Ubuntu 16.04 and below::~$ sudo apt-get install libapache2-modsecurity
For Ubuntu 18.04:
:~$ sudo apt-get install libapache2-mod-security2
:~$ sudo a2enmod headers
:~$ sudo a2enmod security2
apache2ctl -M | grep -i security
security2_module (shared)
MOD EVASIVE
:~$ sudo apt-get install libapache2-mod-evasive:~$ sudo apachectl -M | grep evasive
Configure Mod_evasive
The mod_evasive module reads its configuration from “/etc/apache2/mods-enabled/evasive.conf.” You can easily customize the mod_evasive module through the “evasive.conf” configuration file. By default, mod_evasive configuration options are disabled, so you will need to enable them first. To do this, edit the “evasive.conf” file:
:~$ sudo mkdir /var/log/mod_evasive
:~$ sudo chown www-data:www-data /var/log/mod_evasive/
:~$ sudo nano /etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
:~$ sudo a2enmod evasive
FAIL2BAN
:~$ sudo apt-get install fail2banSince this file can be modified by package upgrades, we should not edit this file in-place, but rather copy it so that we can make our changes safely.
:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
:~$ sudo nano /etc/fail2ban/jail.local
Read some instruction included in the file, find and update these:
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
destemail = youraccount@email.com
sendername = Fail2BanAlerts
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
[sshd]
enabled = true
[apache-auth]
enabled = true
[apache-badbots]
enabled = true
[apache-overflows]
enabled = true
[apache-nohome]
INSTALL ZIP
:~$ sudo apt install unzipDDOS DEFLATE
https://github.com/jgmdev/ddos-deflateInstallation
As root user execute the following commands:
:~$ wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
:~$ unzip master.zip
:~$ cd ddos-deflate-master
:~$ sudo ./install.sh
Uninstallation
As root user execute the following commands:
:~$ cd ddos-deflate-master
:~$ ./uninstall.sh
Once you hava (D)Dos deflate installed proceed to modify the config files to fit your needs.
:~$ sudo nano /etc/ddos/ignore.host.list
On this file you can add a list of host names to be whitelisted, for example:
googlebot.com
my-dynamic-ip.somehost.com
:~$ sudo nano /etc/ddos/ignore.ip.list
On this file you can add a list of ip addresses to be whitelisted, for example:
12.43.63.13
129.134.131.2
:~$ sudo nano /etc/ddos/ddos.conf
The behaviour of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.
After you modify the config files you will need to restart the daemon. If running on systemd:
:~$ sudo systemctl restart ddos
If running as classical init.d script:
:~$ /etc/init.d/ddos restart
or
:~$ sudo service ddos restart
if you encounter this error
Job for ddos.service failed because the control process exited with error code. See "systemctl status ddos.service" and "journalctl -xe" for details.
or this
/usr/local/ddos/ddos.sh: 25: [: /etc/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.9
Copyright (C) 2005, Zaf <zaf@vsnl.com>
$CONF not found.
To fix this open ddos.sh
:~$ sudo nano /usr/local/ddos/ddos.sh
change the first line from #!/bin/sh to #!/bin/bash
SECURE WORDPRESS PINGBACK DDOS ATTACK
:~$ sudo nano /etc/apache2/apache2.conf
Update:
<Directory /var/www/>
Options -Indexes
AllowOverride All
Require all granted
BrowserMatchNoCase WordPress wordpress_ping
BrowserMatchNoCase Wordpress wordpress_ping
Order Deny,Allow
Deny from env=wordpress_ping
</Directory>
:~$ sudo service apache2 restart
SSL
:~$ sudo a2enmod sslProtect Your Server Against the Dirty COW Linux Vulnerability
:~$ sudo apt-get update && sudo apt-get dist-upgrade
:~$ sudo reboot
Learn more about dirty cow : https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-dirty-cow-linux-vulnerability
PREVIOUS POST :
Comments